Aside from SSL (which I wouldn't even know where to begin with at this point), is
there not a way to determine what gets sent with the headers, or to block the
referring address from another site?

B.

----- Original Message -----
From: "Haseeb Iqbal" <[EMAIL PROTECTED]>
To: "Beauford.2002" <[EMAIL PROTECTED]>
Sent: Saturday, March 29, 2003 10:04 PM
Subject: Re: [PHP] Session Theft


> The session is created such that a file is created (the file contains
> all the variables for that particular user) referenced by the session ID.
> Now consider a situation where the user opens a link to an external site,
> and that external site is recording all the links the user is coming
> from. That is done by $_SERVER['HTTP_REFERER'] (in PHP). Now suppose the user
> did not close the session, and the external website's author (suppose he is not
> a person with ethics) uses that referrer address. And then what happens? HE IS
> IN another person's account. Now he can do anything the REAL user can do.
> Now you should have the idea of how it can be stolen.
>
> Now for the security: you can conduct everything over SSL. This is what I
> got when I posted my message on this list.
> What I am doing is gathering every bit of information from the user and
> storing that information along with some extra things. This will minimize the
> risk, but it won't completely remove the risk.
>
> I am still learning how to master this field. If you get any idea, let me
> know.
>
> regards
> Haseeb
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

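An added example, not code from this thread or from either poster, showing both halves of what is described above in PHP. The first function is what the "external site" does with the Referer header when the session ID travels in the query string (PHP's use_trans_sid rewriting puts it there). The bootstrap after it is the practical answer to "what gets sent with the headers": keep the ID in a cookie only, so the URL, and therefore the Referer, never carries it, then bind and rotate the session as extra defence. The constructed Referer URL, the site-secret string and the on_login() helper are assumptions for illustration; the Referrer-Policy header and the session.cookie_samesite setting are later additions to browsers and PHP, and are included as a caveat, not as something available when this thread was written.

```php
<?php
// ---- What the external site sees (added example, not from the thread) ----
// A constructed Referer such as  http://shop.example/cart.php?PHPSESSID=abc123
// hands the session ID to whoever logs $_SERVER['HTTP_REFERER'].
function session_id_from_referer(string $referer): ?string
{
    $query = parse_url($referer, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;            // no query string, nothing to harvest
    }
    parse_str($query, $params);
    // returns the PHPSESSID parameter, or null when the URL does not carry one
    return isset($params['PHPSESSID']) ? (string) $params['PHPSESSID'] : null;
}

// ---- Hardened session bootstrap (added example; assumes the standard
//      session extension and that the site is served over HTTPS) ----

// 1. Keep the session ID out of URLs. With use_trans_sid on, PHP rewrites links
//    as page.php?PHPSESSID=..., and that is exactly what the Referer header
//    carries to any external site the user clicks through to.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
ini_set('session.cookie_secure', '1');     // cookie only sent over HTTPS (assumption: SSL deployed)
ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+; later addition, see lead-in

session_start();

// 2. Bind the session to a trait of the client that created it. This is the
//    "store extra information with the session" idea from the thread. It raises
//    the bar but does not remove the risk: an attacker who can copy a session ID
//    can usually copy a User-Agent string too.
$siteSecret  = 'site-secret-change-me';   // assumption: a per-deployment secret
$fingerprint = hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' . $siteSecret);

if (!isset($_SESSION['fp'])) {
    // first request of a brand-new session: record the fingerprint, rotate the ID
    $_SESSION['fp'] = $fingerprint;
    session_regenerate_id(true);
} elseif (!hash_equals($_SESSION['fp'], $fingerprint)) {
    // the ID was presented by a client that does not match its creator
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('session mismatch');
}

// 3. Rotate the ID whenever privilege changes (e.g. at login), so a value
//    captured earlier stops being useful. on_login() is an illustrative name.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// 4. Ask browsers not to send a Referer when the user follows a link to another
//    origin. Later browser feature; a caveat for today's readers, not a 2003 option.
header('Referrer-Policy: same-origin');
```

The ordering matters: the ini_set() calls must run before session_start(), and header() must run before any output. With use_only_cookies set, a PHPSESSID arriving in the query string is simply ignored, so even a user who pastes a link containing one does not hand it to the next site.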